[Icecast] Protect Icecast Admin/Run on different port?

"Rücker, Thomas" thomas.ruecker at tieto.com
Wed Apr 3 11:37:28 UTC 2013


On 03/04/13 10:08, David Farrell wrote:
>
> On 3 April 2013 02:19, Philipp Schafft <lion at lion.leolix.org> wrote:
>
>     reflum,
>
>     On Thu, 2013-03-28 at 14:28 +0000, David Farrell wrote:
>     > Hi list,
>     >
>     > We're new to Icecast and we're looking at securing the admin
>     > functions. I've trawled the docs but it's not clear to me if we
>     > are able to run this on a different TCP port to the streams
>     > themselves.
>     >
>     > Has anyone with a little more experience any insight into this?
>
> Hi Philipp,
>
> Thanks for your reply.
>
>     You cannot run the admin interface on a different port.
>     I also don't see how that should improve security.
>
> We would not expose the administrative port to the world, rather to a 
> range of trusted IP addresses.

Feel free to file a ticket at http://trac.xiph.org
It might not be too complicated to add a check that admin requests can 
only come through a certain port. Bonus points for sending patches.

>     Which kind of attack do you try to protect against? Maybe I can
>     help you if you tell a bit more about your overall goal.
>
> The goal is just really to restrict administrative access to the systems.

If you really know what you're doing, a lightweight reverse proxy is 
currently the only option to filter that.
I can see that restricting requests to either an IP white-list or a port 
would be desirable for production environments.

>     In general: Use strong passwords. Avoid sending them in plain text.
>
>
> That is a given, I have yet to investigate what external AAA resources 
> we can use in this case e.g. RADIUS, LDAP.

Right now for admin access Icecast only supports HTTP basic auth with 
optional SSL transport security. For listener and source connections we 
support forwarding the plain text authentication credentials to a 
back-end for validation.
Tickets and patches welcome.

Cheers

Thomas
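
The reverse-proxy filtering discussed in this message, sketched as an nginx configuration. This is an added example, not part of the original message and not Icecast project configuration; the host name, certificate paths, port 8443 and the 192.0.2.0/24 range are placeholders, and it assumes Icecast is bound to 127.0.0.1:8000 so the proxy cannot be bypassed.

```nginx
# Added example (not from the Icecast project).
# Assumption: Icecast's listen-socket uses bind-address 127.0.0.1, port 8000,
# so nginx is the only path in from the network.

# Public listener port: streams and status pages, no admin interface.
server {
    listen 80;
    server_name stream.example.org;          # placeholder host name

    location /admin/ {
        return 403;                          # admin is never served here
    }

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_buffering off;                 # pass audio through as it arrives
    }
}

# Separate admin port: TLS, trusted source addresses only.
server {
    listen 8443 ssl;                         # placeholder admin port
    server_name stream.example.org;

    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder path

    location /admin/ {
        allow 192.0.2.0/24;                  # placeholder trusted range
        deny  all;                           # everyone else gets 403
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
    }

    location / {
        return 404;                          # nothing but admin on this port
    }
}
```

Icecast still performs its own HTTP basic auth behind the proxy; the allow list only narrows who can reach the login. Source clients that update metadata through /admin/metadata need access to the admin listener or a direct internal connection to Icecast.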